The U.S. Securities and Exchange Commission said Wednesday hackers broke into its electronic document storage system last year.
The hackers may have traded on information they found, the SEC said.
SEC chairman Jay Clayton issued a long statement Wednesday about the SEC’s cybersecurity.
He said the hack exploited a software weakness in Edgar — the Electronic Data Gathering, Analysis and Retrieval system.
The agency patched the vulnerability and is still investigating the source of the hack.
Edgar holds SEC filings by public companies and regulated financial firms and advisers.
Clayton said the SEC discovered the hack in 2016. It detected possible illegal trading related to the hack in August this year.
In addition to outside hackers, Clayton said the SEC is vulnerable to unauthorized access by its own personnel and by vendors.
The SEC “employs an agency-wide cybersecurity detection, protection and prevention program for the protection of agency operations and assets,” Clayton said.
The program includes cybersecurity protocols and controls, network protections, system monitoring and detection processes, vendor risk management processes, and regular cybersecurity and privacy training for employees, according to Clayton.
“[W]e expect to hire additional expertise in this area,” Clayton said in his statement.
SEC filings are eventually made public through the searchable Edgar system.
It isn’t clear how the hackers exploited Edgar. They may have used early access to company filings to trade on non-public information.
Richard L. Cassin is the publisher and editor of the FCPA Blog.